The ransomware that knows where you live

  • Published
Ransomware
Image caption,

The ransomware gives users a limited time in which to pay a ransom and recover their files

A widely distributed scam email that quoted people's postal addresses links to a dangerous form of ransomware, according to a security researcher.

Andrew Brandt, of US firm Blue Coat, contacted the BBC after hearing an episode of BBC Radio 4's You and Yours that discussed the phishing scam.

Mr Brandt discovered that the emails linked to ransomware called Maktub.

The malware encrypts victims' files and demands a ransom be paid before they can be unlocked.

The phishing emails told recipients they owed hundreds of pounds to UK businesses and that they could print an invoice by clicking on a link - but that leads to malware, as Mr Brandt explained.

One of the emails was received by You and Yours reporter Shari Vahl.

"It's incredibly fast and by the time the warning message had appeared on the screen it had already encrypted everything of value on the hard drive - it happens in seconds," Mr Brandt told the BBC.

"This is the desktop version of a smash and grab - they want a quick payoff."

Image caption,

Maktub increases the ransom as time elapses

Maktub doesn't just demand a ransom, it increases the fee - which is to be paid in bitcoins - as time elapses.

A website associated with the malware explains that during the first three days, the fee stands at 1.4 bitcoins, or approximately $580. This rises to 1.9 bitcoins, or $790, after the third day.

The phishing emails tell recipients that they owe money to British businesses and charities when they do not.

One of the organisations named was the Koestler Trust, a charity which helps ex-offenders and prisoners produce artwork.

"We rely on generous members of the public and we were very distressed when we discovered that people felt they had received emails from us asking for money, when indeed they had not been generated by us at all," chief executive Sally Taylor told You and Yours.

Addresses included

One remarkable feature of the scam emails was the fact that they included not just the victim's name, but also their postal address.

Many, including BBC staff, have noted that the addresses are generally highly accurate.

According to Dr Steven Murdoch, a cybersecurity expert at the University of London, it's still not clear how scammers were able to gather people's addresses and link them to names and emails.

The data could have come from a number of leaked or stolen databases for example, making it hard to track down the source.

Image caption,

The email demands payment of £800 to a firm You and Yours reporter Shari Vahl had never heard of

Several people contacted the You and Yours team to say that they were concerned data might have been taken from their eBay accounts, as their postal addresses had been stored there in the same format as they appeared in the phishing emails.

In a statement, the firm said: "Ebay works aggressively to protect customer data and privacy, which is our highest priority.

"We are not aware of any link between this new phishing scam and eBay's data.

"We continually update our approach to customer data security in an effort to create the safest environment possible for our customers."

Fraud body 'inundated'

The UK's national fraud and cybercrime reporting centre has been flooded with queries from people targeted by the scam.

"We have been inundated with this," said deputy head Steve Proffitt.

"At Action Fraud on Monday we received an additional 600 calls and from then onwards we've received 500 calls to our contact centre a day," he added.

Mr Proffitt advised people who had received the phishing emails to under no circumstances click on the link, but instead delete the message from their system and inform Action Fraud, external.

Media caption,

Technology explained: what is ransomware?

Referring specifically to Maktub and the approach taken by the phishers, Dr Murdoch said he believed the scam was "significant" in more ways than one.

"It also appears to be quite widespread - I've heard about it from multiple sources so it seems like they were fairly successful getting a lot of these sent out," he told the BBC.

He added that it was hard to know how to advise people who were unfortunate enough to have their files encrypted by ransomware.

For some individuals without backups, paying the ransom might be the only way to retrieve their data.

"However, every person that does that makes the business more valuable for the criminal and the world worse for everyone," he said.

Related internet links

The BBC is not responsible for the content of external sites.